Machine identities and digital trust: An election security case study

Oct. 29, 2024
Election officials and industry executives must prioritize IoT security by embedding it from the start of machine identity creation.

With the 2024 presidential election a week from today, the concept of “trust” is at the forefront of the public’s mind. Trust might immediately suggest deepfake photos or the big promises presidential candidates make to voters. However, trust extends beyond these examples to the technological foundation of connected devices upon which this election sits: voting machines.

The security of voting machines and ballots was a popular topic in the 2020 race, but more interestingly, securing these entities and building back public trust is also an excellent example of the value of comprehensive machine identity management. This practice can extend beyond political administrators and voting technicians to business leaders in all verticals grappling with ransomware, complex enterprise ecosystems, and the looming quantum threat. Building digital trust in an enterprise system and ensuring voting technology operates securely are more similar than initially meets the eye.

Every Machine, Identified and Managed

A consistent, compliant, and reliable network of connected devices supports the integrity of the electoral process. According to the MIT Election Data and Science Lab, various technologies enable modern voters to cast their votes—from the traditional paper ballot to direct-recording electronic (DRE) devices—each of which is a critical factor in the final count.

The most preliminary step in fostering digital trust in this system, or any system, is confirming that every machine has an identity and that each of those identities is properly managed and secured. This web of connected machines for an enterprise might include laptops, tablets, phones, servers, webpages, and more. In the realm of election security, however, this network will include voter machines, ID scanners, and even optical or other biometric verification at voting centers. A lapse in the digital certificate for a given voting machine can compromise the validity of the ballots counted by its software, leading to larger problems for the county and broader state. The same applies to an optical or ID scanner, making visibility into the statuses of these entities an important part of digital trust.


Another potential weakness in the election process is the manufacturing of election machines. Companies that design and manufacture election products, known as original equipment manufacturers (OEMs), are held responsible for testing, certification, and provisioning of their products. Suppose an election device or scanner is created securely at the OEM. In that case, the responsibility then shifts to the operator, like a municipal body, to take over and oversee deployment, monitoring, and eventually, decommissioning of any machine identities.

If either the devices are corrupted or part of the manufacturing process is noncompliant, this opens the door for potential misuse and abuse. The same can be said of machine identities in an enterprise. Involving security teams early and often in the manufacturing and monitoring of ballot-counting devices will ensure that each identity does not become a potential attack point for bad actors. The first step toward digital trust is to establish visibility into the exact identities and certificates that exist in the voting network. Unfortunately, other factors increase the difficulty of keeping election information and processes secure and compliant, and they are the same ones that often affect modern companies, too.

The Added Complexities of Criminal Activity and Quantum Computing

The stakes on secure voting and connected machines have been further heightened by the increased activity of threat actors, including ransomware gangs. In 2024, voter information was taken in a ransomware attack on Fulton County, Georgia. The LockBit ransomware group accessed sensitive data, including residents’ personal information, threatening to leak it online if payment was not made.

Quantum computing and “Q-Day” promise a similar challenge for compliant voting procedures. With the creation of a quantum computer, transmissions about the outcome of an election or any encryption protecting ballot machines can be known or broken before a governing body sanctifies the results. “Harvest Now, Decrypt Later” (HNDL) tactics also mean that any encrypted data stolen today can fall victim to quantum-powered hacking in the future, because the bad actor can store the information until quantum computing capabilities become available. PKI principles, like digital signatures on voting machines, can prevent any lapses in security or compliance, and election officials might consider choosing a partner with IoT security experience to support their voting network. This partner can automate the lifecycles of voting machines, allowing monitoring throughout the full ecosystem and confirming that all entities are always compliant, from the OEM to post-election.

Business Takeaways From Election Security

Election security represents a high-profile use case for machine identity management from which business leaders should take caution. Securing the ever-increasing number of devices and entities should constitute a critical concern for companies across industries.

In response, both election officials and industry executives must prioritize IoT security by embedding it from the start of machine identity creation. Collaborating with experts, particularly security professionals, can help bridge knowledge gaps and ensure all parties maintain proper visibility and compliance within their device ecosystems. Regardless of the outcome, organizations will be better positioned to safeguard against the rising risks of IoT vulnerabilities.

About the Author

Ellen Boehm | SVP of IoT Strategy & Operations at Keyfactor

Ellen Boehm is the SVP of IoT Strategy & Operations at Keyfactor. Ellen leads the product strategy and go-to-market approach for the Keyfactor Control platform, focusing on digital identity security solutions for the IoT device manufacturer market. Ellen is passionate about IoT and helping customers establish strong security implementations for the lifecycle of their overall IoT systems. Ellen has over 15 years of experience leading new product development focusing on IoT and connected products in Lighting controls, Smart Cities, Connected buildings, and Smart Home technology. Ellen has previous leadership roles in Product & Engineering at General Electric and Sky Technologies.